
Oracle issues nearly 300 patches in quarterly update

Oracle's latest security update covers 297 vulnerabilities, many of which come with a "patch now" warning.

Oracle is keeping people busy before the Easter weekend. The company has issued a raft of quarterly security updates for 297 vulnerabilities, along with an urgent warning to patch now.

The latest Critical Patch Update contains fixes for vulnerabilities spanning dozens of products, including its Fusion Middleware product set, which received 53 new security fixes overall – 42 of them for vulnerabilities that could in theory be exploited remotely over a network with no user credentials.

The Oracle E-Business Suite accounted for 35 new security fixes in the critical patch update – 33 of them for remotely exploitable bugs. The Suite encompasses business applications including enterprise resource planning, customer relationship management, and supply chain management.

Also high on the list of affected product groups was Oracle Communications Applications, which received 26 security fixes for vulnerabilities, 19 of which were remotely exploitable.

The software giant’s suite of retail applications got 24 security fixes between them; Oracle Database Server had six; Java SE, which Oracle acquired along with Sun Microsystems in 2010, had five holes patched.

Oracle is eager for customers to patch as quickly as possible rather than relying on temporary workarounds. It said:

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

The vulnerability count seems high, but it’s on par for a company with such a vast range of products. The January 2019 critical patch update fixed 284 bugs, while the one before it in October 2018 saw 301.

Oracle could help alleviate security patching concerns for some users as it moves them to the cloud. Services that it patches automatically on its own infrastructure will hopefully be safer for users than those rushing to test and deploy patches on their own servers.

Last year, it announced a new cloud-based online transaction processing database service that automatically repairs itself and automates updates and security patches for customers. It said:

Security patches are automatically applied every quarter. This is much sooner than most manually operated databases, narrowing an unnecessary window of vulnerability.

The company is doing its best to bolster its cloud services business, which executives have said is a higher-margin operating line than on-premise software.


What is the benefit of only issuing patches quarterly rather than monthly?
This creates a longer window of vulnerability and a big slug of work for corporates to do when processing them.
(Plus alarming headline figures!)

